2021-02-04 Minutes of the CA/Browser Forum Teleconference

1. Attendees

Ali Gholami (Telia), Andrea Holland (SecureTrust), Arno Fiedler (D-TRUST), Ben Wilson (Digicert), Bruce Morton (Entrust), Chris Kemmerer (SSL.com), Chris McMillan (Visa), Clint Wilson (Apple), Corey Bonnell (DigiCert), Daniela Hood (GoDaddy), David Kluge (Google), Dean Coclin (Digicert), Dimitris Zacharopoulos (HARICA), Doug Beattie (GlobalSign), Dustin Hollenback (Microsoft), Enrico Entschew (D-TRUST), Eusebio Herrera (AC Camerfirma), Hazhar Ismail (MSC Trustgate), Inaba Atsushi (GlobalSign), Jeff Ward (CPA Canada/WebTrust), Jim Gorz (GoDaddy), Johnny Reading (GoDaddy), Jos Purvis (Cisco Systems), Juan-Angel Martin (AC Camerfirma SA), Karina Sirota (Microsoft), Mads Henriksveen (Buypass AS), Michelle Coon (OATI), Mike Reilly (Microsoft), Neil Dunbar (TrustCor Systems), Niko Carpenter (SecureTrust), Noorul Halimin Mansol (PoS Digicert), Patrick Nohe (GlobalSign), Paul van Brouwershaven (Entrust), Pedro Fuentes (OISTE Foundation), Peter Miskovic (Disig), Rebecca Kelley (Apple), Ryan Sleevi (Google), Sebastian Schulz (GlobalSign), Shelley Brewer (Digicert), Stephen Davidson (Digicert), Tadahiko Ito (SECOM Trust Systems), Tim Callan (Sectigo), Tobias Josefowitz (Opera Software AS), Wendy Brown (US Federal PKI Management Authority)

2. Antitrust Statement read by Dean

3. Agenda

The agenda was reviewed.

4. Approval of prior minutes

The minutes of January 21st were approved.

5. Forum Infrastructure Update

Jos Purvis gave the update from the last subcommittee meeting. (1) There was a discussion of updates under GitHub. If someone wants experience using GitHub, they can create their own repository and everything will be copied to their account so they can experiment. (2) There was discussion of a bot account which would send periodic summaries of discussions on GitHub, since members are not seeing these discussions on the list now. The bot would collect the discussions and send them to the SCWG email list. (3) Sending updates from tools: GitHub could automatically send out redlines and updates, saving the Chair from doing so. (4) Creation of redlines is difficult with tables. This will get easier with the passage of SC40. (5) The wiki SCWG page will have links to master versions of artifacts. If someone needs a copy of the Word version, they can get it there. (6) A mind map of the website will be generated for folks to review. (7) Table formatting for BRs: a suggestion was made to release versions in separate sections for better rendering or balloting. (8) Future things to look at: how to push items to the public website.

6. Code Signing Update

Dean gave the update. Ballot CSCWG-7 was approved and is in IPR review. A suggestion to put high risk requests in the same category for all requests was made by Ian of Microsoft. CAs should check their internal database for prior requests from the customer. If there was a denial before, refer to section 11.7 for how to deal with it. If a key compromise had occurred, step them up to an HSM. There was further discussion on using a 3rd-party service to host data related to breaches. Another topic was using CAA to potentially check whether the CA is authorized to issue for the company. There was also a discussion on private key protection and the standards related to this, with further discussion to follow on the next call. Ryan asked if the CSCWG planned to use Markdown in the future. Dean said he will bring this up on the next call.

7. S/MIME Working group update

Stephen Davidson gave the update. A new member has joined the working group from Austria: RundQuadrat, which manufactures email software for mobile devices. The group is focusing on two types of S/MIME certs: (1) multipurpose for legacy purposes and (2) strict S/MIME only. They are looking at specific cert profiles under these categories.

8. 2021 F2F meeting schedule

Looking for guest speakers for the March meeting. Suggestions for topics and speakers are sought. June will also be virtual. Beyond that is TBD.

9. Other Business – Membership Applications

There was discussion about the application received from AT&T for Interested Party membership. Members were concerned that the agreement was not signed by someone with the proper authority to bind AT&T to the IPR. Members wanted to be sure the IP obligations are binding. Dean will draft a response for member review before sending to AT&T.

10. Next call

February 18th

Adjourn

The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).